fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Windows MDM enrollment: configuration #12259

Closed georgekarrv closed 1 year ago

georgekarrv commented 1 year ago

Goal

As an IT Admin, I want my Windows devices running Fleetd to enroll in the Fleet MDM server via MDM automatically. The MDM enrollment of Windows devices should occur once Windows MDM is activated through configuration. I should be able to select which teams should not be enrolled in MDM. The Windows device end user should not receive any visual indication that the device has been enrolled in MDM. The feature configuration could be done through UI or YML. See figma here.

Tasks

georgekarrv commented 1 year ago

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @marcosd4h @roperzh

mna commented 1 year ago

@marcosd4h can you confirm what's the official team include/exclude option we want? The description mentions:

I should be able to select which teams should be enrolled in MDM.

But we discussed this morning having a list of teams to exclude, and the figma shows a variety of options (such as include/exclude Windows Servers), so I'm not sure which one we decided to go on with?

marcosd4h commented 1 year ago

@mna it should be an exclusion list. I've just updated the story details to reflect this.

The figma diagram to look into is the one below (image).

mna commented 1 year ago

@marcosd4h @marko-lisica a few questions to finalize this ticket:

  mdm:
    windows_enabled_and_configured: true
    windows_excluded_teams: 
      - team A
      - team B

Rationale is as follows:

// WindowsEnabledAndConfigured indicates if Fleet MDM is enabled for Windows.
// There is no other configuration required for Windows other than enabling
// the support, but it is still called "EnabledAndConfigured" for consistency
// with the similarly named macOS-specific fields, e.g. `mdm.apple_bm_enabled_and_configured`

// WindowsExcludedTeams is the list of team names that are excluded from the
// Windows MDM enrollment. Hosts that have Fleet Desktop installed and that
// are NOT part of those teams will be enrolled. Note that the setting stores
// team names instead of IDs because it may be set via 'fleetctl apply' and a
// YAML file, where names are used to identify entities (and this is
// consistent with the AppleBMDefaultTeam setting).

But happy to tweak however needed, especially if something was already agreed upon.
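As an added illustration of the semantics spelled out in the comment above (enabled flag plus an exclusion list of team names, with hosts that have Fleet Desktop and are not in an excluded team being enrolled), here is example Go code that is not Fleet's own: the `WindowsMDMConfig` and `Host` types, the team-name map and the `ShouldEnrollWindowsMDM` / `ResolveExcludedTeams` helpers are all assumed shapes, and name resolution fails closed on an unknown team name so that a typo cannot silently widen enrollment.

```go
package main

import "fmt"

// WindowsMDMConfig mirrors the `mdm` keys proposed above (example type, not Fleet's appconfig).
type WindowsMDMConfig struct {
	WindowsEnabledAndConfigured bool     `json:"windows_enabled_and_configured" yaml:"windows_enabled_and_configured"`
	WindowsExcludedTeams        []string `json:"windows_excluded_teams" yaml:"windows_excluded_teams"`
}

// Host carries only what the decision needs (assumed shape); TeamID 0 means "no team".
type Host struct {
	Platform        string
	TeamID          uint
	HasFleetDesktop bool
}

// ResolveExcludedTeams maps team names to IDs, failing closed on an unknown name (a silently skipped typo would enroll a team meant to be excluded).
func ResolveExcludedTeams(cfg WindowsMDMConfig, teamsByName map[string]uint) (map[uint]bool, error) {
	excluded := make(map[uint]bool, len(cfg.WindowsExcludedTeams))
	for _, name := range cfg.WindowsExcludedTeams {
		id, ok := teamsByName[name]
		if !ok {
			return nil, fmt.Errorf("windows_excluded_teams: unknown team %q", name)
		}
		excluded[id] = true
	}
	return excluded, nil
}

// ShouldEnrollWindowsMDM applies the rule from the comment: the feature is on, the host is a
// Windows host with Fleet Desktop, and its team is not excluded (no-team hosts are never excluded).
func ShouldEnrollWindowsMDM(cfg WindowsMDMConfig, excluded map[uint]bool, h Host) bool {
	if !cfg.WindowsEnabledAndConfigured || h.Platform != "windows" || !h.HasFleetDesktop {
		return false
	}
	return h.TeamID == 0 || !excluded[h.TeamID]
}

func main() {
	// Constructed sample: "team A" (ID 1) is excluded, "team B" (ID 2) is not.
	cfg := WindowsMDMConfig{WindowsEnabledAndConfigured: true, WindowsExcludedTeams: []string{"team A"}}
	excluded, err := ResolveExcludedTeams(cfg, map[string]uint{"team A": 1, "team B": 2})
	if err != nil {
		panic(err)
	}
	for _, h := range []Host{{"windows", 1, true}, {"windows", 2, true}, {"darwin", 2, true}} {
		fmt.Printf("team %d %s enroll=%v\n", h.TeamID, h.Platform, ShouldEnrollWindowsMDM(cfg, excluded, h))
	}
}
```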

marcosd4h commented 1 year ago

Those settings are available in Fleet Free, right? Haven't seen any mention of this being Premium-only on the epic.

I assume yes, I'll let @zhumo confirm this

What are the Fleet permissions for the user to be able to enable MDM? For now I assumed Global Admin and gitops, but I haven't seen this mentioned on the epic (https://github.com/fleetdm/fleet/issues/11952). If it's wider than global admin, we will need a new API endpoint (because the endpoint that can write the appconfig is global admin only, we've had a similar situation in Mac MDM).

Global Admin and gitops sound right, @zhumo can you confirm this?

Is it confirmed that once enabled, the setting cannot be switched back to disabled? We mentioned this in some discussions, but I haven't seen it officially in the epic and the figma linked on the epic has a "Turn Off" button (https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?type=design&node-id=18214-228330&t=0zCeADfalSMPCT9L-0)

Yes, the setting can go back to disabled through fleetctl apply configuration. The UI however will not show the disable button

About the name of the setting in the YAML, the figma linked from the epic calls it mdm.windows.mdm_enable which is a bit redundant? (https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?type=design&node-id=18214-228341&t=0zCeADfalSMPCT9L-0). The figma linked from the current ticket doesn't mention a name.

The windows_enabled_and_configured proposed name sounds good, especially if same name pattern has been used on MacOS MDM

mna commented 1 year ago

@marcosd4h actually I just realized that Fleet Desktop is premium-only (i.e. the GET /api/_version_/fleet/device/{token}/desktop endpoint that will receive the notification requires a premium license) so in light of this, it wouldn't make much sense to allow enabling Windows MDM on a Free license. I'll still let @zhumo confirm this but I'll start handling it as Premium-only in the meantime.

EDIT: I guess we may want to be able to enable MDM for other enrollment types (to be implemented in the future) without requiring Premium... On second thought I'll leave it Free to set it to enabled/disabled at the moment, even though it would only enroll hosts that have fleet desktop, so only Premium deployments would benefit from enabling this.

Yes, the setting can go back to disabled through fleetctl apply configuration.

Gotcha, I thought we wanted to explicitly prevent this. I'll allow it then.

Thanks!

zhumo commented 1 year ago

Yes should be free. Teams is the premium feature, but you should be able to have Windows MDM for a no-team Fleet instance (same as Mac).

In terms of permissions, I think it would be the global admin and gitops role. This setting is a global setting, not per-team.

marcosd4h commented 1 year ago

@mna The teams exclusion is no longer needed. So the configuration would look like this now, and the windows_excluded_teams option is no longer required:

  mdm:
    windows_enabled_and_configured: true

marcosd4h commented 1 year ago

though it would only enroll hosts that have fleet desktop, so only Premium deployments would benefit from enabling this.

@mna would this mean that devices will need to have fleetd + fleet desktop to be MDM enrolled?

mna commented 1 year ago

@marcosd4h My understanding is that fleetd includes Fleet Desktop (is the catch-all name for orbit + fleet desktop)? @roperzh correct me if I'm wrong? Also AIUI the notifications struct that gets sent to the host is via the payload returned to the GET /api/_version_/fleet/device/{token}/desktop endpoint, which is called by Fleet Desktop.

roperzh commented 1 year ago

@mna @marcosd4h

My understanding is that fleetd includes Fleet Desktop (is the catch-all name for orbit + fleet desktop)?

that's right!

Also AIUI the notifications struct that gets sent to the host is via the payload returned to the GET /api/_version_/fleet/device/{token}/desktop endpoint, which is called by Fleet Desktop.

yes, it's a slightly different struct, but you're absolutely right.

only Premium deployments would benefit from enabling this.

this is a tough problem. In retrospect, sending a license error for this endpoint wasn't a good idea. We could have sent an enhanced response instead. I'm not sure if we can change this in a backwards compatible way 🤔

mna commented 1 year ago

Thanks, I think at this point I will create the PR and we can address any remaining details there, and if there's any feature changes I'd suggest we create new tickets to be tackled by subsequent PRs as needed. What's ready will allow us to unblock other features and generally get the ball rolling.

roperzh commented 1 year ago

@mna @marcosd4h I just realized: is there a particular reason why we're using Fleet Desktop for this? this would be typically an orbit task, and also solves our free vs premium problem.

mna commented 1 year ago

@roperzh @marcosd4h

is there a particular reason why we're using Fleet Desktop for this? this would be typically an orbit task, and also solves our free vs premium problem.

I think it's my fault, I assumed that this was Fleet Desktop because of the Notifications system, but didn't remember that we also have notifications for Orbit. I'll update the PR to use orbit instead, this will solve one of the points!

fleet-release commented 1 year ago

Fleetd enrolls, quiet, Windows MDM in the cloud. Ease for IT's crowd.